[Full-Disclosure] RE: URLs used by W32/MyDoom-O (aka .AX, .BB) to query search engines?

2005-02-17 Thread Patrick Nolan
> -Original Message-
> From: [EMAIL PROTECTED] 
> Sent: Thursday, February 17, 2005 5:01 PM
> Subject: URLs used by W32/MyDoom-O (aka .AX,.BB) to query search engines?
> 
> Hello List,
> 
> Does anyone have a list of query URLs used by W32/MyDoom-O 
> (Sophos name: 
> http://www.sophos.com/virusinfo/analyses/w32mydoomo.html)
> to dig e-mail addresses from search engines?

Here are examples of the 4 URLs used by that virus, where %domain% is like
the comcast.net in my email address =>

#1 - www.altavista.com

GET /web/results?q=%domain%+email&kgs=0&kls=0&nbq=20 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.altavista.com
Connection: Keep-Alive

#2 - www.google.com

GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+%domain%&num=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.google.com

#3 - Search.Lycos.com

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+%domain% HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.lycos.com

#4 - search.yahoo.com

GET /search?p=email+%domain%&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.yahoo.com


> Are these specific enough that there's a chance to catch them 
> in the config of a web proxy (e.g. Squid) and avoid being 
> "blacklisted" by the search engines? (seems to me that Google 
> temporarily blacklists IPs that drown them under such requests)

You could use an IDP signature to block the requesting traffic.

> Greets,
> _Alain_

Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
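As an added example (not part of Patrick's post, and not Fortinet's or Sophos' tooling), here is the proxy-side check Alain asked about. It recognises the four request shapes quoted above by host, path and the fixed query parameters (the `nbq=20`, `num=100`, `tab=web` and `fr=fp-tab-web-t` values are what separate the worm's queries from an ordinary search), runs that check over Squid native-format access.log lines, flags any client that hits more than one engine with it, and emits a Squid `url_regex` ACL for blocking. The log lines, client addresses and the example.net domain are constructed for the example; the regex text is written with `[+]` and `[?]` so it works both in Python's `re` and in Squid's regex engine, but verify it against the Squid version in use.

```python
"""Proxy-side detection for the W32/MyDoom-O search-engine harvesting
requests quoted above.  Added example, not from the original post or
from Fortinet.  Log lines, client IPs and example.net are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Hostname-like token: the domain the worm lifted from a harvested address.
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)")

def classify_mydoom_o_query(url):
    """Return the engine name if url has one of the four request shapes
    (host, path and the fixed parameters all match), else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    q = parse_qs(parts.query, keep_blank_values=True)  # '+' decodes to ' '

    def first(key):
        return q.get(key, [""])[0]

    def two_words(value, fixed, fixed_index):
        # Exactly "<fixed> <domain>" or "<domain> <fixed>", nothing else.
        words = value.split()
        return (len(words) == 2 and words[fixed_index] == fixed
                and DOMAIN_RE.match(words[1 - fixed_index]) is not None)

    if host == "www.altavista.com" and parts.path == "/web/results":
        if two_words(first("q"), "email", 1) and first("nbq") == "20":
            return "altavista"
    elif host == "www.google.com" and parts.path == "/search":
        if two_words(first("q"), "mailto", 0) and first("num") == "100":
            return "google"
    elif host == "search.lycos.com" and parts.path == "/default.asp":
        if two_words(first("query"), "mailto", 0) and first("tab") == "web":
            return "lycos"
    elif host == "search.yahoo.com" and parts.path == "/search":
        if two_words(first("p"), "email", 0) and first("fr") == "fp-tab-web-t":
            return "yahoo"
    return None

def scan_squid_log(lines):
    """Return [(client, engine, url)] for every GET whose URL matches."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if m and m.group("method") == "GET":
            engine = classify_mydoom_o_query(m.group("url"))
            if engine:
                hits.append((m.group("client"), engine, m.group("url")))
    return hits

def suspected_infected_hosts(hits, min_engines=2):
    """One 'mailto example.net' search could be a human; the same client
    running the shape against several engines is the worm's pattern."""
    by_client = {}
    for client, engine, _ in hits:
        by_client.setdefault(client, set()).add(engine)
    return sorted(c for c, e in by_client.items() if len(e) >= min_engines)

# url_regex patterns anchored on the literal parameters of the four requests.
_DOM = r"[A-Za-z0-9.-]+"
SQUID_URL_REGEXES = [
    r"^http://www\.altavista\.com/web/results[?]q=" + _DOM + r"[+]email&kgs=0&kls=0&nbq=20",
    r"^http://www\.google\.com/search[?]hl=en&ie=UTF-8&oe=UTF-8&q=mailto[+]" + _DOM + r"&num=100",
    r"^http://search\.lycos\.com/default\.asp[?]lpv=1&loc=searchhp&tab=web&query=mailto[+]" + _DOM,
    r"^http://search\.yahoo\.com/search[?]p=email[+]" + _DOM + r"&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=",
]

def matches_acl(url):
    """True if the Squid ACL patterns would catch this URL."""
    return any(re.search(r, url) for r in SQUID_URL_REGEXES)

def squid_block_acl():
    """Squid config fragment: one url_regex ACL plus a deny rule."""
    cfg = ["acl mydoom_o_harvest url_regex -i " + r for r in SQUID_URL_REGEXES]
    cfg.append("http_access deny mydoom_o_harvest")
    return "\n".join(cfg)

# Constructed sample: 10.0.0.17 behaves like the worm, 10.0.0.42 does not.
SAMPLE_ACCESS_LOG = [
    "1108681260.101    312 10.0.0.17 TCP_MISS/200 8123 GET http://www.altavista.com/web/results?q=example.net+email&kgs=0&kls=0&nbq=20 - DIRECT/192.0.2.10 text/html",
    "1108681260.412    298 10.0.0.17 TCP_MISS/200 9912 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+example.net&num=100 - DIRECT/192.0.2.11 text/html",
    "1108681260.790    401 10.0.0.17 TCP_MISS/200 7730 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+example.net - DIRECT/192.0.2.12 text/html",
    "1108681261.033    377 10.0.0.17 TCP_MISS/200 8890 GET http://search.yahoo.com/search?p=email+example.net&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= - DIRECT/192.0.2.13 text/html",
    "1108681300.555    150 10.0.0.42 TCP_MISS/200 6001 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=squid+url_regex&num=100 - DIRECT/192.0.2.11 text/html",
    "1108681305.001    160 10.0.0.42 TCP_MISS/200 6200 GET http://www.google.com/search?hl=en&q=mailto+example.net - DIRECT/192.0.2.11 text/html",
]

if __name__ == "__main__":
    hits = scan_squid_log(SAMPLE_ACCESS_LOG)
    for hit in hits:
        print(*hit)
    print("suspected:", suspected_infected_hosts(hits))
    print(squid_block_acl())
```

A URL match on its own is enough to write the Squid deny rule, but for alerting the per-client count across engines is the better trigger: a person who types "mailto example.net" into one engine looks identical to a single worm request, while one host cycling through all four engines with that exact parameter set does not. Blocking at the proxy also keeps the worm's traffic off the search engines, which is what avoids the IP getting rate-limited or blacklisted.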


RE: [Full-Disclosure] phpBB Worm writers are dumb

2005-01-03 Thread Patrick Nolan
I forget who initially mentioned this but I recall in one off-the-record
conversation that virus authoring groups rarely have a QA department. For
this, white hats and security professionals can be thankful.


Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com




RE: [Full-Disclosure] RE: Worm hitting PHPbb2 Forums

2004-12-23 Thread Patrick Nolan
> -Original Message-
> On Behalf Of Willem Koenings
> Subject: Re: [Full-Disclosure] RE: Worm hitting PHPbb2 Forums
> 
> Mark wrote:
> 
> > This exploit is becoming frequent.  Normally uploading a ddos bot.
> 
> what kind of a bot is uploaded? does anyone have a sample to 
> contribute me?
> 
> W.

A bot is not uploaded, not sure where that came from.
And by now, it is not expected to be spreading at all, thanks to the
interruption in search requests by Google.

Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com




RE: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-22 Thread Patrick Nolan
> If Google were to block this particular pattern of search 
> request it would stop the spread of the worm for now.
> 
> -Joe
> 
> --
> Joe Stewart, GCIH
> Senior Security Researcher
> LURHQ http://www.lurhq.com/

I believe it is blocked now [thanks Google].

Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com




RE: [inbox] Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Patrick Nolan
> [EMAIL PROTECTED]
> 
> On Fri, 05 Mar 2004 13:36:10 CST, Curt Purdy said:
> 
> > ... Legitimate senders would rename the file, be it 
> > .exe .doc .jpg, indicate in the body of the message what the true 
> > extension is, and the receiver merely renames it...
> 
> So let's see.. the same bozos who read the text part of the 
> virus, get the password, and use that to unzip the rest of 
> the virus won't read the text part, get the rename to do, and.

I was thinking a similar thought -- it's just the same bypass; renaming the
extension is no different from using other text in the body to extract the
attachment. In a good scenario, the recipient checks with the sender via phone
to verify what was sent.


Regards,

Patrick Nolan
 



RE: [Full-Disclosure] Fake Email

2004-02-27 Thread Patrick Nolan
> -Original Message-
> From: Tiago Halm
> 
> Hi,
> 
> Just received an email from "[EMAIL PROTECTED]" with an 
> attachment "remove-lsass_tool.exe"
> 

You are describing symptoms of W32/Sober.C-mm, a mass-mailing virus.
The email subject lines and body text are variable.


Regards,

Patrick Nolan - Fortinet Inc
web - www.fortinet.com
eml - pnolan at fortinet.com
vir - submitvirus at fortinet.com



Re: [Full-Disclosure] To idiots that post to every thread on FD

2004-01-16 Thread Patrick Nolan
- Original Message - 
From: "Raymer, Dan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>


| Hey Pot!  I'm the Kettle!  You're black!

Yeps, was gonna say something almost identical.
Instead, how about 

me thinks the catfood stinks

or

me thinks the catfood doest protest too much



Regards,

Patrick Nolan
Virus Researcher - Fortinet Inc.
pnolan at fortinet dot com

To Submit A Virus:
pkzip/winzip password infected to-
submitvirus at fortinet dot com



Re: [Full-Disclosure] (Fwd) Re: more malformed DNS queries

2003-10-16 Thread Patrick Nolan
I've seen one Trojan that matches this - W32/Calypso-tr (aka BKDR_CALYPS.A).

http://www.fortinet.com/FortiResponseCenter/  (see W32/Calypso-tr)

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_CALYPS.A

Regards,

Patrick Nolan
Virus Researcher - Fortinet
